Friday Flash 05.21.21

Thank you for a Spectacular Spring Training Conference!

The Coalition would like to thank everyone who attended our virtual Spring Training Conference – The Biden Administration’s Priorities and the Role of Acquisition. Your participation helped make the Spring Conference a successful opportunity for the entire contracting stakeholder community to engage in dialogue about critically important procurement-related developments. We would like to recognize our keynote and featured speakers who were crucial to the success of the conference:

  • Michael Parrish, Principal Executive Director and Chief Acquisition Officer, OALC, VA
  • Sonny Hashmi, FAS Commissioner, GSA
  • Michael Missal, Inspector General, VA
  • John Tenaglia, Principal Director, DPC
  • Tom Howder, Deputy Commissioner, FAS, GSA
  • Kim Herrington, Director, Industrial Base Acquisition Portfolio Management, DoD
  • Phil Christy, OALC Deputy Executive Director, VA
  • Col Markus Gmehlin, Chief of Pharmacy, DHA
  • Andrew Centineo, Executive Director, Procurement and Logistics, VHA

Additionally, we recognize the significant contributions of the numerous other Government speakers during our general sessions and breakout sessions. The following speakers provided highly informative remarks for, and facilitated important exchange among those in attendance:

  • Shelby Oakley, Director, GAO
  • Dan Dagher, National Risk Management Center (NRMC) Supply Chain Risk Management Initiative Lead, CISA, DHS
  • Judith Zawatsky, Assistant Commissioner, Office of Systems Management, GSA
  • Stephanie Shutt, Director, MAS PMO, GSA
  • Steve Sizemore, Project Manager, MAS PMO, GSA
  • Holly Elwood, Senior Advisor, Environmentally Preferable Purchasing Program, EPA
  • Porter Glock, Procurement Analyst, Office of Management and Budget, Office of Federal Procurement Policy
  • Tiffany Hixson, Assistant Commissioner, Office of Professional Services & Human Capital Categories, GSA
  • Laura Stanton, Assistant Commissioner, Information Technology Category, GSA
  • Crystal Philcox, Assistant Commissioner, Enterprise Strategy Management, GSA
  • Bob Woodside, Deputy Director, GSA
  • Maria Viscione, Supervisory Contract Specialist, GSA
  • Teresa McCarthy, Center Director, GSA
  • Kim Kittrell, Branch Chief, GSA
  • George Prochaska, FAS Regional Commissioner, GSA
  • Haven Wynne, Supply Chain Management Branch Chief/Program Manager, GSA
  • Keith Jeffries, Contract Operations Division Director, GSA
  • Sheri Meadema, Director of Program Operations, Professional Services and Human Capital, GSA
  • Cheryl Thornton, Director ITC Schedule 70 Contract Operations, GSA
  • Giovanni Onwuchekwa, Deputy Director ITC, GSA
  • Dan Shearer, FSS Director, VA
  • Steve Bollendorf, Chief, DLA Med/Surg Prime Vendor Program
  • Antoine Broughton, Director, Direct Access Program & Strategic Outreach and Communications, OSDBU, VA
  • David Loines, Director, Office of Government Contracting, SBA
  • Charlotte Phelan, Assistant Commissioner, Office of Travel, Transportation, and Logistics, GSA
  • Erv Koehler, Assistant Commissioner, Customer Accounts and Stakeholder Engagement, GSA
  • Mark Lee, Assistant Commissioner, Office of Policy and Compliance, GSA
  • Brittney Chappell, Director, Office of Acquisition, Technology Transformation Services, GSA
  • Keith Nakasone, Deputy Assistant Commissioner, Acquisition, Office of IT Category, GSA
  • Scott Calisti, Director, Contract Policy, DPC
  • Jeff Koses, Senior Procurement Executive, GSA
  • Jaclyn Rubino, Executive Director, Strategic Programs Division, DHS
  • Dr. Julia Trang, Strategic Sourcing Pharmacist, Industry Liaison, DHA
  • Carlton Shufflebarger, Acting Executive Director of IT Services, OITC, GSA
  • Joanne Woytek, SEWP Program Manager, NASA
  • Keith Johnson, Contracting Officer, NITAAC
  • Rob Coen, Director, Professional Services Program Management Office, PS-MAS and OASIS, GSA
  • Ana Eckles, Director of Human Capital Solutions, GSA
  • Mark Dunkum, Director, Acquisition Operations, GSS Portfolio, GSA
  • Steve Smith, Director, GSS Central Office Acquisition Division, GSA
  • Paul Mack, Director, Office of Retail Operations, GSA
  • Jill Akridge, Director of Customer Account Management, Professional Services and Human Capital Portfolio, GSA
  • Adam Soderholm, Program Executive, Category Management PMO, GSA
  • Lee Tittle, Project Manager, GSA
  • Paul Szymanski, OASIS/BIC MAC ConOps Chief, GSA
  • Ryan Schrank, Center Director, GSA
  • Dena McLaughlin, FAS Regional Commissioner, GSA
  • Meg Sutliff, Supervisory Contracting Officer, GSA
  • Ivana Henry, Business Development Director, GSA
  • John Breen, IWAC Projects Branch Chief, GSA
  • Linda Valdes, IWAC Contracts Administration Branch Chief, GSA

Our industry participants also played a key role in the preparation and execution of the conference. Thank you to our members who served as moderators for the various panels and breakout sessions. Thank you to the following individuals who served as speakers and shared their expertise:

  • David Dowd, Partner, Mayer Brown
  • Lorraine Campos, Partner, Crowell & Moring
  • Jonathan Aronie, Partner, Sheppard Mullin
  • Alex Sarria, Government Contracts Member, Miller & Chevalier
  • Joy Sturm, Partner, Hogan Lovells
  • Stephen Ruscus, Partner, Morgan Lewis
  • Jason Miller, Executive Editor, Federal News Network
  • Jean Heilman Grier, Principal and Manager, Trade Practice, Djaghe LLC

We would also like to highlight and thank our sponsors for their continued support of the Coalition.

Title Sponsors

  • AvKare

Gold Sponsors

  • CACI
  • Sheppard Mullin
  • GDIT
  • Concordance Healthcare Solutions
  • GSMS

The Coalition remains dedicated to delivering high quality engagements that promote dialogue and further the goal of bringing common sense to government procurement. We look forward to your participation in future events. We hope to see all of you on August 18, when we resume our annual charitable golf event in memory of Joe Caggiano that supports our Endowed Scholarship Fund for a veteran at GWU. We are also considering supporting guide dogs for veterans as part of this year’s tournament. In the meantime, please accept our sincere appreciation and look for more meetings and events in the near future related to the topics discussed at the Conference.

 

Announcing the Winners of the Spring Conference “Games”

Congratulations to John Dischert of First Nation Group for being the winner of the Coalition’s 2021 Virtual Spring Conference Game, finishing with 425 points! We would also like to congratulate the runner-up, Debra Dugas of MSC Industrial Supply, who scored 315 points, and the third-place finisher, Dale Johnsons of Avaya, who finished with 255 points. Thank you to all of the participants for your engagement during the conference.

Register for GSA FAST2021: Define, Procure, Deliver!

The General Services Administration (GSA) is hosting FAST2021: Define, Procure, Deliver! This three-day virtual training conference will take place June 15-17 from 1-4 pm EST. The event will cover key stages of the buyer/seller journey in the federal marketplace. GSA acquisition and category experts will share tools and techniques to help you translate business problems into clear requirements, apply innovative approaches to the buying process, manage performance for results, and explore emerging trends. The conference is offered at no cost. Click here to register.

Legal Corner: New Executive Order on Cybersecurity Promises Major Changes Ahead for Government Contractors … and Beyond

Authors: Michael Vatis and Daniel W. Podair, Steptoe & Johnson

The Legal Corner provides the legal community with an opportunity to share insights and comments on legal issues of the day. The comments herein do not necessarily reflect the views of The Coalition for Government Procurement. 

On May 12, 2021, President Biden signed a landmark Executive Order to improve and modernize the federal government’s cybersecurity infrastructure. The Executive Order comes in the wake of numerous cyber incidents targeting the United States, including the so-called SolarWinds, Microsoft Exchange, and Colonial Pipeline incidents. The Executive Order will directly affect government contractors, including companies that sell software to the government or provide IT services. More broadly, but less directly, the Executive Order is likely to influence the informal, and eventually formal, development of cybersecurity standards for software and hardware makers and providers of online services generally, even when the government is not a customer.

President Biden’s Executive Order takes the following steps:

  • Removing barriers to sharing threat information
    • The Executive Order helps facilitate the sharing of cyber threat and incident information between IT service providers and federal government agencies by (1) removing contractual barriers to such exchanges and (2) requiring the reporting of information about cyber incidents to federal agencies.
  • Strengthening federal government cybersecurity
    • The Executive Order requires the federal government to adopt cybersecurity best practices including “advance[ing] toward Zero Trust Architecture; accelerat[ing] movement to secure cloud services…central[izing] and streamlin[ing] access to cybersecurity data to drive analytics for identifying and managing cybersecurity threats; and invest[ing] in both technology and personnel to match these modernization goals.” As part of these efforts, federal agencies are ordered to “adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws.”
  • Enhancing software supply chain security
    • The Executive Order mandates the establishment of minimum-security standards for software sold to the federal government. In particular, the standards must address:
      • “Secure software development environments”;
      • “Generating and, when requested by a purchaser, providing artifacts [e.g. data] that demonstrate conformance to the processes” implemented to ensure secure software development environments;
      • “Employing automated tools, or comparable processes, to maintain trusted source code supply chains, thereby ensuring the integrity of the code”;
      • “Employing automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them, which shall operate regularly, or at a minimum prior to product, version, or update release”;
      • “Providing, when requested by a purchaser, artifacts of the execution of the tools and processes described [in the prior two bullets] and making publicly available summary information on completion of these actions, to include a summary description of the risks assessed and mitigated”;
      • “Maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis”;
      • “Providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website”;
      • “Participating in a vulnerability disclosure program that includes a reporting and disclosure process”;
      • “Attesting to conformity with secure software development practices”;
      • “Ensuring and attesting, to the extent practicable, to the integrity and provenance of open source software used within any portion of a product.”
    • The Executive Order also directs development of a pilot program to create a labeling system which would allow the government (and the public) to determine whether software was developed securely.
  • Establishing a Cybersecurity Safety Review Board
    • The Board, which is to be led by individuals from the government and the private sector, will convene following major cybersecurity incidents to review and assess such incidents, mitigation, and response efforts. This idea has been likened to the National Transportation Safety Board (NTSB) for transportation incidents.
  • Standardizing the federal government’s playbook for responding to cybersecurity vulnerabilities and incidents
    • The Executive Order promotes the implementation of “standardized response processes [to] ensure a more coordinated and centralized cataloging of incidents and tracking of agencies’ progress toward successful responses.” Various federal agencies are required to coordinate to “develop a standard set of operational procedures (playbook) to be used in planning and conducting a cybersecurity vulnerability and incident response activity respecting [Federal Civilian Executive Branch] Information Systems.”
  • Improving detection of cybersecurity vulnerabilities and incidents on federal government networks
    • The Executive Order requires the federal government to “employ all appropriate resources and authorities to maximize the early detection of cybersecurity vulnerabilities and incidents on its networks.” Such measures must “include increasing the Federal Government’s visibility into and detection of cybersecurity vulnerabilities and threats to agency networks in order to bolster the Federal Government’s cybersecurity efforts.”
  • Enhancing the federal government’s investigative and remediation capabilities
    • The Executive Order requires the formulation of “policies for agencies to establish requirements for logging, log retention, and log management.”
  • Introducing National Security System Requirements
    • The Executive Order mandates the application of the requirements set forth in the Order to National Security Systems (i.e., non-civilian systems).

The Executive Order constitutes a major step forward in strengthening cyber defenses against the sorts of attacks that have bedeviled government agencies and private companies for decades now. Government contractors will need to comply with the new requirements that will result from the Executive Order. But even more broadly, the Executive Order and the rules that flow from it will have an impact on all companies by creating new expectations for threat and incident reporting and new standards (whether informal or formal) for cybersecurity.

 

Legal Corner: President Biden’s Cybersecurity Executive Order Focuses on IT and Software Supply Chain Vulnerabilities

Authors: Alexander Canizares and Paul Korol, Perkins Coie

The Legal Corner provides the legal community with an opportunity to share insights and comments on legal issues of the day. The comments herein do not necessarily reflect the views of The Coalition for Government Procurement. 

On May 12, 2021, President Biden signed a sweeping Executive Order (EO) to protect federal government networks and software supply chains against increasing threats of attacks from malicious cyber actors, setting the stage for future rulemaking and amendments to the Federal Acquisition Regulation (FAR) focusing on IT and software sold to the government.

Citing the need for the federal government to “partner with the private sector” to protect the nation against cyber threats from nation-state actors and cyber criminals, the EO urges “bold changes and significant investments” in cybersecurity. Among other things, the EO calls for:

  • Requiring IT and communication contractors supporting the government to share information with agencies about cyber threats and to report cyber incidents.
  • Accelerated adoption of cloud networks and deployment of multifactor authentication and other practices to “modernize” the government’s cybersecurity protections.
  • New security standards for software sold to the government to address vulnerabilities in software supply chains, including requiring developers to provide greater visibility into their software and make security data publicly available. The order also establishes a consumer labeling program to identify whether software products are securely developed.
  • Establishing a Cybersecurity Safety Review Board, co-chaired by government and private sector leads, to analyze significant cyber incidents and make recommendations.
  • Cybersecurity event log requirements for federal departments and agencies.

The EO follows a series of high-profile cyberattacks highlighting vulnerabilities in federal and private sector networks, including the ransomware attack on the Colonial Pipeline, resulting in gas shortages earlier this month. Calling this and other recent incidents a “sobering reminder,” a White House statement accompanying the EO states that the order is “the first of many ambitious steps” the administration is taking to “modernize” national cyber defenses and respond to cyberattacks.

This update provides an overview of the EO and its implications for federal contractors, including software vendors and IT contractors.

Cyber Incident Reporting and Information Sharing Requirements

Section 2 of the EO calls for removing barriers for IT and Operational Technology (OT) service providers to share cyber threat and incident information with the government to help deter, prevent, and respond to cyber incidents.

According to the EO, IT and OT service providers have “unique access to and insight into cyber threat and incident information on Federal Information Systems” but contract terms or restrictions may limit their ability to share such information with federal departments and agencies responsible for investigating or remediating cyber incidents, such as the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).

To remove such barriers, the EO adopts a timeline for changing existing contract clauses through regulatory rulemaking. Within 60 days of the EO, the Office of Management and Budget (OMB) will recommend contract language in the FAR and Defense FAR Supplement (DFARS). Within 90 days of receipt of those recommendations, the FAR Council is directed, as appropriate, to publish amendments to the FAR implementing the reporting requirements.

According to the EO, any recommended contract language must ensure that IT and OT service providers “collect and preserve” certain data “on all information systems over which they have control” and must share such data related to “cyber incidents or potential incidents” with agencies with which they have contracted as well as potentially other agencies. The EO also indicates that service providers will be required to collaborate with investigative agencies.

The EO also directs the establishment of new cyber reporting requirements for “Information and Communication Technology” service providers that contract with the government. It directs the Department of Homeland Security (DHS), in consultation with other agencies, to recommend contract language to the FAR Council to require such contractors to “promptly” report cyber incidents to agencies, CISA, and the FBI within certain time periods (e.g., not to exceed three days for “severe” incidents).

Once the FAR Council publishes a rule, agencies will be required to update their agency-specific cybersecurity requirements to remove any “duplicative” requirements. The EO calls for “standardizing” common cybersecurity contractual requirements across federal agencies.

Prioritized Use of Cloud Services and Other Security Requirements for Federal Agencies

The EO also outlines the need for the federal government to increase its use of cloud services, among other practices to “modernize” the government’s approach to cybersecurity.

Section 3 of the EO calls upon agencies to adopt security best practices that include “accelerat[ing] movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS)[.]” Within 60 days of the date of the EO, the head of each agency must update existing plans to “prioritize resources for the adoption and use of cloud technology” and develop a plan to implement Zero Trust Architecture, a security model that eliminates implicit trust in any one element, node, or service.

The EO also requires the development of security principles governing Cloud Service Providers (CSPs) for incorporation into agency modernization efforts. Within 90 days of the order, OMB, CISA, and the General Services Administration (GSA) acting through FedRAMP, must develop a federal cloud-security strategy and provide guidance to agencies. CISA is also directed to develop and issue a cloud-service governance framework within 90 days.

The accelerated shift to cloud-based systems will likely expand opportunities for CSPs to support federal agencies and further encourage contractors to move their networks to the cloud.

The EO also requires agencies, within 180 days, to adopt multifactor authentication and encryption for data at rest and in transit, to the maximum extent possible.

Software Supply Chain Security and Consumer Labeling

The EO lays the groundwork for regulation targeting the security of software in the government’s supply chain. Citing a lack of transparency and adequate controls in certain commercial software, Section 4 of the EO states that there is a “pressing need” to implement “more rigorous and predictable” mechanisms to ensure that software products are secure, with a priority on addressing the security and integrity of “critical software,” which the EO describes as software that performs functions critical to trust.

The EO directs the National Institute of Standards and Technology (NIST) to issue guidance identifying practices to enhance security of software in the government’s supply chain. Such guidance must include standards, procedures, or criteria in ten areas, including secure software development environments, using automated tools to check for vulnerabilities, and creating a “Software Bill of Materials” that records components used in building software. The EO also instructs NIST to develop minimum standards for vendors to use when testing their software source code, including identifying recommended types of manual or automated testing.

Within 30 days of the issuance of NIST’s guidance, agencies will be directed to comply with such guidelines when procuring software. Within one year of the date of the EO, DHS, in consultation with other agencies, must recommend contract language to the FAR Council implementing the changes in software supply contracts. After a final rule is issued, agencies will have to “remove” any noncompliant software products from their procurements.

The EO also creates a pilot program to establish an “energy star” type of consumer label so that the government and public can quickly determine whether software and Internet of Things (IoT) devices were developed securely. Within 270 days of the order, NIST, in coordination with the Federal Trade Commission (FTC) and other agencies, must identify criteria for the labeling program. The White House’s statement accompanying the EO states: “We need to use the purchasing power of the federal government to drive the market to build security into all software from the ground up.”

Cyber Safety Review Board

Section 5 of the EO establishes a new Cyber Safety Review Board charged with reviewing and assessing “significant cyber incidents” affecting federal and nonfederal systems, threat activity, vulnerabilities, mitigation activities, and agency responses. The board will comprise federal officials, including representatives of the DoD, the U.S. Department of Justice (DOJ), CISA, the National Security Agency (NSA), and the FBI, as well as representatives from “appropriate private-sector cybersecurity or software suppliers” as determined by DHS. According to the White House, the Cyber Safety Review Board is modeled after the National Transportation Safety Board (NTSB), which investigates airplane crashes and other incidents.

Standardizing the Government’s “Playbook”

Section 6 of the EO calls for a “standardized” response to cybersecurity vulnerabilities and incidents, citing the fact that varying approaches across agencies hinder the ability of lead agencies to analyze vulnerabilities and incidents more comprehensively. Within 120 days of the EO, DHS is required to adopt a standard set of operational procedures (a “playbook”) for agencies to use in planning and conducting cybersecurity vulnerability and incident response.

Final Thoughts

The EO marks a significant step to strengthen—and standardize—cybersecurity protections across the government, signaling the Biden administration’s intent to move away from agency-specific policies in favor of a uniform approach with expanded participation from industry.

Many details will need to be worked out through a rulemaking process. IT and software vendors, as well as companies that make internet-connected products, should prepare for an extensive implementation period that ultimately will result in new contract requirements in the FAR.

Agencies will have to move quickly to meet near-term deadlines under the EO, including updating plans to prioritize cloud technology within 60 days and adopting multifactor authentication and encryption for data within 180 days. The development of a cloud-security strategy within 90 days will require coordinating with the FedRAMP cloud-security program.

Other key questions for rulemaking will include to whom the data-sharing requirements will apply, what types of information must be tracked and reported, and how such data will be used and maintained within the government.

Defense contractors monitoring the EO’s implementation should also watch for any impact it may have on DoD’s interim rule implementing its Cybersecurity Maturity Model Certification (CMMC) program and other initiatives to safeguard data on contractor-managed networks.

 

Legal Corner: Enough’s Enough: A New Executive Order Signals Sweeping Changes to Federal Cybersecurity Requirements

Author: Alex Major, McCarter & English

The Legal Corner provides the legal community with an opportunity to share insights and comments on legal issues of the day. The comments herein do not necessarily reflect the views of The Coalition for Government Procurement. 

Akin to the exasperations of the newly minted “homeschool teachers” the pandemic has created, the Biden administration’s recent Executive Order on Improving the Nation’s Cybersecurity (Order) is a mix of sound logic and utter frustration. The lengthy and sweeping Order is resoundingly one of the most comprehensive national cybersecurity overhauls to date and ushers the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) into a forward-leaning position of leadership that has been missing since its inception. In addition to requiring significant improvements to the cybersecurity posture of the Federal Civilian Executive Branch (FCEB) agencies, the Order also prescribes (i) the implementation of cyber incident sharing requirements between the Government and private industry; (ii) the necessary demands of security on software development; and (iii) the inclusion of software bills of materials, operational technology (e.g., industrial machining), and the internet of things in the fabric of cybersecurity regulations. Set against the backdrop of an ambitious timeline that calls for drastic changes before the end of this fiscal year—i.e., September 30, 2021—the Order requires that the Federal government scale administrative mountains at breakneck speed while simultaneously working with the industry and developing new regulations with which contractors will have to comply in short order. Accordingly, while a brief summary of the Order is provided below, the size and magnitude of the Order call for a larger analysis. To that end, we have prepared a user-friendly Analysis of the Order that includes considerations for manufacturers and government contractors. Additionally, to better explain the compliance timeline associated with the Order, a listing of the EO Key Dates is provided for convenience.

Section 1 – Policy

The Federal government must better its ability to detect, identify, deter, protect against, and respond to cyber threats and will need to partner with private industry in order to do it.

Section 2 – Removing Barriers to Sharing Threat Information

Contracts with providers of federal information technology, operational technology, and cloud services will need to be altered to better allow for sharing of cyber threat information. This effort will result in changes to existing contracts and the development of new and/or revised FAR clauses.

Section 3 – Modernizing Federal Government Cybersecurity

The Government will adopt Zero Trust Architecture in its systems and demand it from those upon which it relies (i.e., cloud service providers) as part of its modernization. This effort essentially means that systems will treat all users as potential threats and require additional authentication. Cloud service providers should expect to see activity here as CISA and the Federal Risk and Authorization Management Program cultivate an enhanced federal cloud-security strategy to provide implementation guidance to FCEB agencies.

Section 4 – Enhancing Software Supply Chain Security

The Government is demanding that software manufacturers address build-transparency deficiencies and implement security by design, especially for products that will be identified as or deemed “critical software.” It specifically calls for industry assistance in better understanding the implications of the Order and demands that a Software Bill of Materials be provided. NIST guidance will be issued over the coming months to distill the Government’s expected procedures for software supply chain security. A new FAR clause is also anticipated.

Section 5 – Establishing a Cyber Safety Review Board

Establishes a Cyber Safety Review Board, presently consisting of members from DHS, DoD, DoJ, CISA, FBI, NSA, and private-sector cybersecurity or software suppliers chosen by the Secretary of Homeland Security. The intent of the board is to examine and assess “significant cyber incidents” that occur in federal and nonfederal systems to better understand and evaluate threat activity, vulnerabilities, mitigation activities, and agency responses. The timeline of the board’s establishment is not nearly as clear as the timelines in the Order’s other sections. It is somewhat surprising that the board lacks representation from the Department of Energy and NIST.

Section 6 – Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents

This effort is intended to standardize vulnerability and incident response processes across the FCEB to provide for a more coordinated and centralized cataloging of incidents and tracking of agencies’ progress toward successful responses.

Section 7 – Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks

Requires the use of “Endpoint Detection and Response” technology throughout the Federal government to better detect suspicious system behavior, block malicious/suspicious activity, and facilitate incident response. The Order requires the development of formalized information-sharing procedures between DoD and DHS.

Section 8 – Improving the Federal Government’s Investigative and Remediation Capabilities

Establishes and prioritizes the requirements for network and system logging events and their retention by Federal agencies in order to facilitate, when needed, incident response investigations. Notably, the Order directs that such logs be encrypted and periodically verified to ensure their integrity.

Section 9 – National Security Systems

Requires that the defense and intelligence communities adopt any requirements in the Order that are not already in operation through their respective regulations.

Section 10 – Definitions

Notable definitions provided include those of “auditing trust relationship,” “Software Bill of Materials,” and “Zero Trust Architecture.”

Section 11 – General Provisions

Addresses the “administrivia” of implementing the Order.

As the text of the Order and its laundry list of deliverables indicate, 2021 will be a significant year in the area of cybersecurity, and significant regulatory changes are afoot. Faced with equal parts risk and opportunity, federal contractors must be prepared to comply, and those in the cloud, IT, and IT services sectors (including distributors, resellers, etc.) should begin taking immediate actions to better understand their respective supply chains for the products and services offered to federal customers. At bottom, while the Order is brimming with the concept of strength through public-private partnerships, it is equally full of weariness and disappointment brought on by years of cyberattacks, data breaches, intrusions, and thefts. It’s clear that, for this administration, enough’s enough.

 

Join the Coalition’s “Green Committee”   

During this week’s Spring Training Conference, we heard more from GSA, the EPA and the Office of Management and Budget about the Administration’s plans to advance its Sustainability goals and the likelihood of new green requirements for contractors. To ensure that our members are aware of the coming requirements and to facilitate a dialogue with the Government on this important issue, the Coalition is reestablishing its “Green Committee.”  

The purpose of the Green Committee is to inform members about environmental compliance requirements and to provide input to the Government, as appropriate, as new procurement policies are developed. All Coalition members are welcome to join the Green Committee to receive notices about future meetings and updates on environmental developments. To join the committee, please email Aubrey Woolley at awoolley@thecgp.org.

 

VA Releases Dear Manufacturer Letter for Covered Drugs

During the VA FSS break-out session of the Coalition for Government Procurement’s Virtual Spring Training Conference, VA announced that its latest Dear Manufacturer Letter connected with VA’s Covered Drug Pricing Program had just been released and is now posted on the VA FSS website. To locate it online, please note that the direct hyperlink to the letter is embedded under the Important Notice section near the top of the page at https://www.va.gov/opal/nac/fss/publicLaw.asp.

 

GSA Seeking Feedback on Draft Cloud Policy 

GSA has drafted a Cloud Consumption policy and has provided the Coalition with an opportunity to submit feedback. The draft policy on the Procurement of Cloud Computing on a Consumption Basis is posted here. GSA is particularly interested in industry’s input on how to address price increases for cloud computing services that have floating prices in the commercial marketplace. They have requested our feedback by May 28. Please send your input for the Coalition’s comments by COB on Tues., May 25 to Aubrey Woolley at awoolley@thecgp.org. There will also be a member call on May 25 at 10am EST.  To receive the dial-in for the call, please email Michael Hanafin at mhanafin@thecgp.org.  The Coalition sincerely appreciates GSA for its request for industry feedback on this important initiative.